Skip to content

Proof-of-concept for adding attested TLS server #20

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ameba23 wants to merge 8 commits into
base: main
Choose a base branch
from
Open

Proof-of-concept for adding attested TLS server #20

ameba23 wants to merge 8 commits into from
+1,930 −402

Conversation

@ameba23
Copy link

@ameba23 ameba23 commented Jan 29, 2026
edited
Loading

This shows where how i would imagine to integrate attested-tls server into the rproxy http proxy server.

Its proof of concept in that there is no error handling, and currently does not take any attestation configuration - just demonstrates how the pieces could fit together.

Also note this does not [currently] add nested TLS - it simply uses the TLS key and certificate from the config for attested TLS.

This compiles but is not tested. @0x416e746f6e whats the best way to test this - do you have some kind of test setup for rproxy?

I did a cargo update to get around some dependency conflicts. If you prefer i only update the directly relevant crates let me know.

Also worth noting - this introduces a dependency on openssl. Its not used by attested-tls directly but when retrieving collateral from PCCS during attestation verification via reqwest.

Still missing:

0x416e746f6e
0x416e746f6e reviewed Jan 29, 2026
View reviewed changes
crates/rproxy/src/server/proxy/http/proxy.rs
None
};

let server = if let Some(attested_tls_server) = attested_tls_server {
Copy link
Member

@0x416e746f6e 0x416e746f6e Jan 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question:

this doesn't seem to implement nested TLS (self-signed CA with attestation primitives stream inside public CA rooted TLS stream). instead it's either one or the other. am I correct?

Copy link
Author

@ameba23 ameba23 Jan 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, no. I didn't get that far. I first just want to establish that this works at all.

@ameba23
Copy link
Author

ameba23 commented Jan 30, 2026

i can confirm i successfully rproxied a request with this.

But one thing which bit me is that alloy_rpc_client::RpcClient (which i was using to test this) by default will omit the params field in the request JSON if it is empty (rather than adding "params": []). This causes the error data did not match any variant of untagged enum JrpcRequestMetaMaybeBatch. I needed to put in a serde_json::Value::Null to get it to add the field.

Next steps: Ideally i would like to write a unit test which demonstrates using attested-tls, To be able to iterate a bit faster and know it still works.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@0x416e746f6e 0x416e746f6e 0x416e746f6e left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ameba23 @0x416e746f6e